cvedb.io
CVE-2026-40295
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2026-05-22T20:16:34.013 · Last modified 2026-06-17T10:44:57.623

Summary

Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session us
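
The following Ruby is an added illustration, not the page's own content and not Devise's code: it models the two timeout redirect behaviours the summary describes with a stand-in request struct, the unvalidated non-GET path, and a hypothetical hardened path that reduces the Referer to a local path in the spirit of the extract_path_from_location step behind Devise's store_location_for. TimeoutRequest, vulnerable_timeout_redirect_url, referrer_to_local_path, safe_timeout_redirect_url and the attacker.example / app.example hosts are all assumptions of this example.

```ruby
require "uri"

# Stand-in for the parts of a Rack/Rails request the timeout path looks at.
# Constructed for this example; it is not Devise's or Rails' request class.
TimeoutRequest = Struct.new(:http_method, :referrer, :attempted_path, keyword_init: true) do
  def get?
    http_method == "GET"
  end
end

# Models the behaviour the advisory describes for a session that has timed out:
# a GET goes back to the server-side attempted_path, while any non-GET request
# is sent to the raw Referer header. The Referer is attacker-controlled when the
# request came from a cross-origin form, so this is an open redirect.
def vulnerable_timeout_redirect_url(request, root_path: "/")
  if request.get?
    request.attempted_path || root_path
  else
    request.referrer || root_path   # unvalidated: may be any external URL
  end
end

# Hypothetical hardening (not Devise's own code): keep only the path and query
# of whatever the Referer contains. Anything that is not a parseable URI yields
# nil so the caller falls back to root_path.
def referrer_to_local_path(location)
  return nil if location.nil? || location.empty?
  uri = URI.parse(location)
  path = uri.path.to_s
  path = "/" if path.empty?              # e.g. "javascript:alert(1)" parses with an empty path
  path = "/#{path}" unless path.start_with?("/")
  path = path.sub(%r{\A/+}, "/")         # "//evil.example/x" would be a protocol-relative redirect
  path += "?#{uri.query}" if uri.query
  path
rescue URI::InvalidURIError
  nil
end

def safe_timeout_redirect_url(request, root_path: "/")
  if request.get?
    request.attempted_path || root_path
  else
    referrer_to_local_path(request.referrer) || root_path
  end
end

# Constructed scenario from the advisory: the victim's browser auto-submits an
# attacker-hosted cross-origin form, so the Referer names the attacker's page.
CROSS_ORIGIN_POST = TimeoutRequest.new(
  http_method: "POST",
  referrer: "https://attacker.example/landing",
  attempted_path: "/posts"
)

# Returns where each variant would send the timed-out victim.
def demo
  {
    vulnerable: vulnerable_timeout_redirect_url(CROSS_ORIGIN_POST),
    hardened: safe_timeout_redirect_url(CROSS_ORIGIN_POST)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the two outcomes for the constructed cross-origin POST: the vulnerable variant returns the attacker's absolute URL, the hardened one only "/landing" on the application's own host. The hardened variant also collapses a leading run of slashes, because a Location of //evil.example/... is protocol-relative and leaves the site just as surely as an absolute URL. This sketch is not the upstream fix; check Devise's own release notes for how the project addressed the non-GET timeout path.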

Affected products

heartcombo — devise

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.